In a recent (experimental only) project, I followed one of the multiple guides such as this one on how to make a Lego case for a USB stick. To top it off, I loaded the Hak5 Switchblade packages on the sticks. When used with U3 USB autorun technology, these packages allow automatic theft of various personal data upon insertion of the stick into a Windows computer. Now, doesn’t this just crush the competition (a regular USB stick lost in the parking lot)?
Monthly Archive for June, 2008
A few days ago, Adam Shostack over at the Emergent Chaos blog invited some comments about using prediction markets for security-related events/decisions. This is a topic I’ve discussed quite a few times with a friend of mine and I have some fairly strong opinions about it (it’s a dead end), so I made a few quick statements pointing out its shortcomings. In a follow-up article, Adam quoted one of my responses in the article itself! I thought his comments and my response were relevant enough to repost here, but if this is a topic that interests you I encourage you to read both of the original articles and leave a comment there.
Quoted from Adam’s follow-up post:
Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”
I don’t think he’s actually right. Often times, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?
We had a much larger turnout this time around. There were probably about 10 serious people with a few more in and out. We got a special presentation from a friend of ours who wanted to practice his Blackhat talk, so we didn’t end up watching any videos.
The agenda ended up being:
- Blackhat presentation dry-run.
- Aleksey reversed some storm malware, found a carding forum, and broke into it! He showed us some of the things he learned about their community by looking through the forum.
- Aleksey talked about his experience competing in the Defcon CTF prequals this weekend. All the questions from the competition are already up at Nops R’ Us but Aleksey was kind enough to upload his own work to the ISIS webserver.
- Erik and I made fun of Synology for all the bugs we found in their webapps this weekend. I’m waiting to release anything publicly until I have proof of concept exploits.